Metadata from a different partition layout can be easily made on the host. Standard GPT partition tools, e.g.
sgdisk, can create the MBR and GPT tables in a (sparse) file image. Such an image can be made with
truncate. Or one could just write code in Python, it is very easy. There is absolutely no need to use loopback devices or root access to do this.
Placing the individual partitions in such a whole flash image is also trivial. It can be done with
conv=notrunc options, or trivial python code. Even better, when using
mke2fs, use the
offset option to place the sparse extfs image into the correct location directly without the need to create a system.img file first.
I do not believe it is the case that there are partitions that can not be created on the host, unless there is some encryption that I do not know about. What encryption I see so far is done host side.
It is true that eMMC is not just one image. Usually eMMC has multiple areas: user area, two boot areas, and a RPMB area. Normally people only know about user area, so maybe the use of the boot area is where this notion, apparently false, that an image of eMMC can not be made has come from. The boot areas appear in Linux as
/dev/mmcblk0boot and can also be accessed in U-Boot.
I am also highly confident, based on the logs and also knowing in detail how this works on other systems, that one does not really flash eMMC via the USB recovery interface. The USB recovery interface is more limited and only supports uploading data into the processor’s address space, i.e. sram or dram, and programming registers. So the USB interface is used to load in a bootloader and run it. Then that bootloader uses USB to communicate with the host to load and flash data.
So this idea that one can only write to all of eMMC via USB recovery is nonsense. eMMC is always being written by software running on the CPU. It just uses the USB2 port, which fragile, slow, and hard to use remotely, and can only communicate with proprietary software on a host running as root that is also hard to use remotely. It could easily be more capable software, like Linux, that does this flashing, using the more robust, faster, and easier to use remotely gigabit ethernet or wifi interfaces and with far more possibilities in how the process is controlled.
The boot area has 18 partitions. This includes the mb1 and mb2 bootloaders. There is also a secondary GPT at the end, even though it does not appear to have a primary GPT or the protective MBR. Maybe this is some kind of proprietary nvidia modified GPT partitioning system. 13 of these partitions are encrypted. The two mb1 partitions appear to use a different encryption format than the other 11 encrypted partitions.
The user area has 33 partitions. Plus the MBR, GPT and 2nd GPT. Of these 5 are not flashed (fbname, recovery, recovery backup, recrootfs, and uda). Most are encrypted. The kernel-bootctrl, bmp, and APP are not. I bet one could hack the system with a fuzzed splash image, since that data is not signed or encrypted. The sc7 warmboot partitions appear to use a different format than the other encrypted partitions.
I haven’t yet compared two TX2s to see what differences there are. It does not look like device specific encryption is being used.